Controls Over the SEC’s Inventory of Laptop Computers


U.S. SECURITIES AND EXCHANGE COMMISSION
OFFICE OF INSPECTOR GENERAL

Controls Over the SEC’s Inventory of Laptop Computers

September 22, 2014
Report No. 524

UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549

OFFICE OF INSPECTOR GENERAL

MEMORANDUM

September 22, 2014

TO: Jeffery Heslop, Chief Operating Officer, Office of the Chief Operating Officer
FROM: Carl W. Hoecker, Inspector General, Office of Inspector General
SUBJECT: Controls Over the SEC’s Inventory of Laptop Computers, Report No. 524

Attached is the Office of Inspector General’s (OIG) final report detailing the results of our audit of the U.S. Securities and Exchange Commission’s (SEC) controls over its inventory of laptop computers. The report contains four recommendations for corrective action that, if fully implemented, should strengthen the SEC’s inventory controls over its laptop computers.

On September 4, 2014, we provided you with a draft of our report for review and comment. In your September 16, 2014, response, you concurred with our recommendations. We have included your response as Appendix III in the final report.

Within the next 45 days, please provide the OIG with a written corrective action plan that addresses the recommendations. The corrective action plan should include information such as the responsible official/point of contact, timeframe for completing required actions, and milestones identifying how your office will address the recommendations.

We appreciate the courtesies and cooperation extended to us during the audit. If you have questions, please contact me or Rebecca L. Sharek, Deputy Inspector General for Audits, Evaluations, and Special Projects.

Attachment

cc:
Mary Jo White, Chair
Erica Y. Williams, Deputy Chief of Staff, Office of the Chair
Luis A. Aguilar, Commissioner
Paul Gumagay, Counsel, Office of Commissioner Aguilar
Daniel M. Gallagher, Commissioner
Benjamin Brown, Counsel, Office of Commissioner Gallagher
Michael S. Piwowar, Commissioner
Mark Uyeda, Counsel, Office of Commissioner Piwowar
Kara M. Stein, Commissioner
Robert Peak, Advisor to the Commissioner, Office of Commissioner Stein
Anne K. Small, General Counsel, Office of the General Counsel
Timothy Henseler, Director, Office of Legislative and Intergovernmental Affairs
John J. Nester, Director, Office of Public Affairs
Thomas A. Bayer, Director, Office of Information Technology
Pamela C. Dyson, Deputy Director, Office of Information Technology
Rhea Kemble Dignam, Regional Director, Office of the Regional Director, Atlanta Regional Office
Roderick Goodwin, Assistant Regional Director, Office of the Assistant Regional Director for Operations, Atlanta Regional Office
Julie K. Lutz, Regional Director, Office of the Regional Director, Denver Regional Office
Christopher Friedman, Assistant Regional Director, Office of the Assistant Director of Regional Operations, Denver Regional Office
Andrew Calamari, Regional Director, Office of the Regional Director, New York Regional Office
Darlene L. Pryor, Management and Program Analyst, Office of the Chief Operating Officer

Executive Summary

Why We Did This Audit

Laptop computers (laptops) are portable and easy to conceal and often contain sensitive information. Consequently, they are at risk of loss and theft and must be properly safeguarded and accounted for. To support the agency’s mission, employees and contractors of the U.S. Securities and Exchange Commission (SEC) use laptops, some of which process and store commercially valuable, market sensitive, proprietary, and other nonpublic information. However, recent Office of Inspector General (OIG) investigative and review work identified weaknesses in the SEC’s laptop inventory records and encryption controls. We initiated this audit to evaluate the effectiveness of the agency’s information technology (IT) inventory program and its controls over laptops.

What We Recommended

OIT is undertaking an agencywide IT inventory, which includes laptops, and plans to replace its IT inventory management system. However, additional actions are needed to improve the agency’s controls over laptops. We made four recommendations for corrective action that address policies and procedures for maintaining inventories of laptops; coordination between OIT organizations; notifications about unaccounted-for laptops; and a review of IT inventory management system user accountability. Management concurred with the recommendations, which will be closed upon completion and verification of corrective action.

What We Found

To evaluate the SEC’s IT inventory program and its controls over laptops, we reviewed a statistical sample of 244 laptops assigned to the SEC’s headquarters and 3 of its regional offices. We also reviewed a judgmental sample of an additional 244 laptops assigned to those offices, for a total of 488 laptops reviewed. We determined that the SEC had addressed prior OIG recommendations about laptop accountability and has controls for safeguarding laptops throughout their lifecycles. However, we identified needed improvements.

Specifically, the SEC’s IT inventory contained incorrect information for a significant number of laptops. For example, Office of Information Technology (OIT) management decided not to update the inventory to reflect the correct location of 921 laptops that had been located at the Operations Center, which the SEC closed in October 2013. OIT plans to update the location information for these assets when the ongoing agencywide inventory is complete. The inventory also included incorrect location information for 82 (or about 17 percent) of the 488 laptops we reviewed, and incorrect user information for 105 (or about 22 percent) of the 488 laptops we reviewed. In addition, 24 laptops could not be accounted for, and 4 laptops were in the custody of users although the assets were not included in the inventory. Finally, the SEC’s procedures for sharing information about lost or stolen laptops were inadequate.

These weaknesses existed because personnel did not always understand their roles and responsibilities, and related policies and procedures were inadequate, had not been effectively communicated, and were not consistently followed. As a result of our testing, we questioned the reliability of the SEC’s IT inventory and estimated that it may reflect incorrect information for over 1,000 laptops. Furthermore, we estimated that as many as 202 laptops assigned to the locations we reviewed may be unaccounted for. By not ensuring that inventory records are accurate and that all laptops are accounted for, the SEC is not consistently safeguarding sensitive assets and may be unaware of lost or stolen laptops. In the event that lost, stolen, or otherwise unaccounted-for laptops are not protected by encryption software, which we reported as a finding in our May 2014 Review of the SEC’s Practices for Sanitizing Digital Information System Media (Report No. 521), the SEC is at risk for the unauthorized release of sensitive, nonpublic information.

We also identified a lack of segregation of duties and compensating controls in the SEC’s IT inventory management system. Specifically, at least 88 employees and contractors with access to and custody of laptops also have the ability to delete asset records from the inventory database. This creates opportunities for the misappropriation of laptops without management’s knowledge.

For additional information, contact the Office of Inspector General at (202) 551-6061 or http://www.sec.gov/about/offices/inspector general.shtml.

TABLE OF CONTENTS

Executive Summary
Background and Objectives
  Background
  Objectives
Results
  Finding 1: The SEC’s Laptop Inventory Controls Need Improvement
    Recommendations, Management’s Response, and Evaluation of Management’s Response
  Finding 2: Lack of Segregation of Duties and Compensating Controls in the ITSM System
    Recommendation, Management’s Response, and Evaluation of Management’s Response

Tables and Figure
  Table 1. Distribution of SEC Laptops by Location
  Figure. Lifecycle of an SEC Laptop
  Table 2. Statistical Sampling: Summary of Existence Testing Results and Projections of Incorrect IT Inventory Information by Location
  Table 3. Judgmental Sampling: Summary of Completeness Testing Results and Incorrect IT Inventory Information by Location
  Table 4. Statistical Sampling: Summary and Projections of Unaccounted-for Laptops by Location

Appendices
  Appendix I. Scope and Methodology
  Appendix II. Federal Laws and Guidance and SEC Administrative Regulations, Policies, and Procedures
  Appendix III. Management Comments
  Appendix IV. OIG Response to Management Comments

ABBREVIATIONS

AMB      Asset Management Branch
ARO      Atlanta Regional Office
CSIRC    Computer Security Incident Response Center
DRO      Denver Regional Office
GAO      Government Accountability Office
IT       information technology
ITSM     Information Technology Service Management
laptop   laptop computer
NYRO     New York Regional Office
OIG      Office of Inspector General
OIT      Office of Information Technology
OMB      Office of Management and Budget
Rev.     Revision
RFID     radio frequency identification
SEC      U.S. Securities and Exchange Commission
SECR     SEC Administrative Regulation

Background and Objectives

Background

Because of their portability, ease of concealment, and the sensitivity of the information they often contain, laptop computers (laptops) are at risk of loss and theft and must be properly safeguarded and accounted for. To support the agency’s mission, employees and contractors of the U.S. Securities and Exchange Commission (SEC) use laptops – some of which process and store nonpublic information[1] – in their offices, at alternate work locations, and while on official travel. According to the SEC’s Information Technology Service Management (ITSM) system, as of April 1, 2014, the agency’s information technology (IT) inventory included a total of 5,525 laptops distributed to users at the SEC’s headquarters in Washington, D.C., its Operations Center (which the SEC closed in October 2013),[2] its 11 regional offices,[3] and its 2 data centers. Table 1 describes the purported distribution of these laptops.

Table 1. Distribution of SEC Laptops by Location

SEC Location                 Number of Laptops    Percentage of Total
Headquarters                 2,795                50.59%
Operations Center            921                  16.67%
Regional Offices             1,726                31.24%
Data Centers                 2                    .04%
No Location Identified[4]    81                   1.47%
Total                        5,525                100.01%[a]

Source: The SEC’s ITSM system as of April 1, 2014.
[a] The total percentage does not equal 100 due to rounding.

[1] SEC Administrative Regulation SECR 23-2a, Safeguarding Non-Public Information, January 21, 2000, defines nonpublic information as “information generated by or in the possession of the SEC that is commercially valuable, market sensitive, proprietary, related to an enforcement or examination matter, subject to privilege, or otherwise deemed non-public by a division director or office head, and not otherwise available to the public.”
[2] In October 2013, the SEC closed the Operations Center located in Alexandria, Virginia, and moved personnel and the assets assigned to those personnel, including laptops, to the agency’s headquarters.
[3] The SEC’s regional offices are located in Atlanta, Boston, Chicago, Denver, Fort Worth, Los Angeles, Miami, New York, Philadelphia, Salt Lake City, and San Francisco.
[4] The SEC’s ITSM system did not include a physical location for these 81 laptops.

In March 2008, the Office of Inspector General (OIG) reported that the SEC did not effectively account for laptops. As stated in Inspection Report No. 441, Controls Over Laptops, we found that the SEC’s property management guidance did not identify laptops as sensitive property,[5] and the SEC’s Office of Information Technology (OIT) had not performed an SEC-wide baseline inventory of laptops since 2003. Because there was no baseline inventory, the OIG was unable to trace custody of laptops to specific individuals. As a result, we made five recommendations to strengthen controls over the SEC’s laptop inventory. Management concurred with the recommendations and implemented corrective actions, including designating laptops as sensitive property and developing a methodology for accounting for sensitive property such as laptops.[6] However, in August 2013, the OIG began investigating reports of stolen SEC laptops and identified inaccurate inventory records.

Federal Guidance. The Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Internal Control, establishes guidance for internal control in Federal agencies. According to the Circular, Federal managers are responsible for establishing and maintaining internal control to achieve the objectives of (1) effective and efficient operations, (2) reliable financial reporting, and (3) compliance with applicable laws and regulations. The safeguarding of assets is a subset of these objectives. Specifically, Federal managers should design controls to provide reasonable assurance of preventing or promptly detecting unauthorized acquisition, use, or disposition of assets.[7] Therefore, the SEC’s controls over laptops should be designed to provide reasonable assurance that laptops support the agency’s mission and are safeguarded throughout their lifecycles.

SEC Administrative Regulations, Policies, and Procedures. Various SEC property management and IT administrative regulations, policies, and procedures address controls over the agency’s laptops. The documents establish roles and responsibilities for laptop inventory management and describe the agency’s asset management information systems. The agency’s primary property management directive is SEC Administrative Regulation SECR 09-02, Revision (Rev.) 1, Property Management Program (SECR 09-02), which designates laptops as sensitive property. Additional policies and procedures that establish controls over laptops and asset management include, but are not limited to, the following:

- SEC ISS-AM-PD-0022, AMB Receiving Procedure (Draft), July 12, 2013;
- SEC ISS-AM-PD-0022, Maintenance, Repair, and Return Material Authorization Procedure (Draft), July 29, 2013; and
- SEC OIT, Security Operations, SEC Incident Response Capability Handbook, April 2014.

Appendix II lists other relevant SEC policies and procedures.

[5] According to SEC Administrative Regulation SECR 09-02, Revision 1, Property Management Program, September 11, 2012, the SEC defines “sensitive property” as “items designated by [Office of Information Technology] Information Security to have characteristics deemed sensitive from a data perspective and vital to continued operations and, if lost, could negatively affect the agency’s image.”
[6] U.S. Securities and Exchange Commission, Office of Inspector General, Inspection Report No. 441, Controls Over Laptops, March 31, 2008. The report can be accessed
[7] OMB Circular A-123 Revised, Management’s Responsibility for Internal Control, December 21, 2004, Attachment pp. 6 and 7.

Roles and Responsibilities. According to the SEC’s regulations, policies, and procedures, several offices within the OIT share responsibility for maintaining accountability for the agency’s laptops. These offices include the OIT’s Asset Management Branch (AMB), the Computer Security Incident Response Center (CSIRC), and the Service Desk. The AMB is responsible for receiving physical assets including laptops, updating the SEC’s inventory records, and ensuring that laptops are managed according to sensitive property requirements.[8] The CSIRC is responsible for responding to information system security incidents such as reports of lost or stolen laptops.[9] And the Service Desk is responsible for collecting requests for additional IT assets including laptops and updating the ITSM system.[10]

SEC directors, office heads, and regional office IT Specialists are also responsible for maintaining accountability for laptops. Specifically, directors and office heads are responsible for maintaining control over property assigned to their respective organizations, including sensitive property such as laptops.[11] Regional office IT Specialists are responsible for the shipment, receipt, and distribution of IT assets (including laptops) returned for maintenance as well as for notifying the AMB of their actions and updating the ITSM system accordingly.[12] SEC employees and contractor staff are responsible for ensuring the proper use, care, and protection of all personal property (including laptops) in their possession, and for reporting immediately to supervisors any personal property that is lost, missing, damaged, or destroyed.[13]

Asset Management Information Systems Used to Track Laptops. In addition to assigning roles and responsibilities, SEC policies and procedures describe the following systems used for asset management: the ITSM system, RF Code, and Computrace. These systems are used to collect and track data such as a laptop’s asset tag number, serial number, manufacturer, location, and assigned employee, and can assist in locating lost or stolen assets. Collectively, each laptop’s asset tag number, serial number, and RF Code create a unique identifier that is used to track the asset throughout its lifecycle.

[8] SEC ISS-AM-PD-0022, p. 2, and SECR 09-02, Section 1-6 N.2, p. 12 and Section 6-2 E, p. 31.
[9] Securities and Exchange Commission, Office of Information Technology, Security Operations, SEC Incident Response Capability Handbook, April 2014, p. 1.
[10] SECR 09-02, Section 1-5, p. 6, and Section 2-4 A, p. 16.
[11] SECR 09-02, Section 1-6 F, p. 8, and Section 6-2 E.1, p. 31.
[12] SEC ISS-AM-PD-0022, p. 2.
[13] SECR 09-02, Section 1-6 P, p. 14.

The ITSM system is considered the SEC’s IT inventory management system[14] and primary mechanism for ensuring accountability for the agency’s IT assets, including laptops. The system contains a record of each SEC IT asset with a purchase price greater than $350. The system includes a subcomponent called the Configuration Management Database, which is used to baseline and manage the inventory of all IT assets, including laptops. It also has an IT ticketing component that the OIT’s Service Desk uses to request maintenance and repair of IT assets and to track assets when changes in custody occur during the lifecycle of the asset.[15]

The SEC also uses RF Code and Computrace to manage and track IT assets such as laptops. These two systems play key roles in locating lost or stolen laptops. RF Code is comprised of radio frequency identification (RFID) transmitters, RFID readers, and a database. Before entering laptops in the SEC’s inventory, OIT staff mount an RFID transmitter on each asset. Staff then enter each laptop’s unique identifier into the RF Code database along with the unique tag number from the assigned RFID transmitter. RFID readers located throughout the SEC’s headquarters and regional offices read the active transmissions from the laptops’ RFID transmitters, thereby providing real-time location information about the laptops within each SEC facility.

Computrace is also installed on a laptop before it is issued to an end user. When a user logs into an internet service provider, the Computrace software will report to the SEC the user’s identification and the laptop’s location. Computrace complements RF Code by providing real-time position and user information for laptops outside of the SEC’s facilities and, therefore, outside the range of the RFID readers. During our testing of the accuracy and completeness of the ITSM system, we were able to locate several laptops with RF Code and Computrace that we could not locate using the ITSM system alone.

Lifecycle of an SEC Laptop. SEC laptops pass through several stages from initial receipt from a manufacturer to disposal. The figure below illustrates each stage, the necessary inventory updates that should occur during each stage, the types of information that should be collected, the system(s) that should be updated, and the office responsible for completing the updates.

[14] SECR 09-02, Section 1-5, p. 6.
[15] SECR 09-02, p. 6.

Figure. Lifecycle of an SEC Laptop

[Figure not reproduced. For each lifecycle stage, the flowchart shows the responsible office, the data collected, and the OIT systems updated. Stages shown: receive laptops from the manufacturer, affix laptop tracking tags, and add the laptops to the inventory; store laptops in the warehouse; issue the laptop to the Service Desk or a regional IT Specialist; install Computrace and issue the laptop to an end user; update the asset record in the inventory when the released laptop has a status change (new end user, repair, change in location, maintenance, etc.); and schedule the laptop for disposal at the end of its useful life.]

Source: OIG generated.

Objectives

Our objective was to evaluate the effectiveness of the SEC’s IT inventory program and its controls over laptops. Specifically, we sought to

- determine whether the OIT had established policies, procedures, and supporting documentation to properly identify, track, and safeguard the SEC’s laptops throughout their lifecycles;
- evaluate the SEC’s procedures for receiving laptops and adding them to the IT inventory;
- evaluate the SEC’s procedures for updating the status of laptops in the IT inventory;
- evaluate the SEC’s procedures for reporting lost or stolen laptops;
- assess the IT controls over the information systems used to track laptops; and
- evaluate whether the SEC effectively addressed prior recommendations for corrective action from the OIG’s Inspection Report No. 441, Controls Over Laptops.

To accomplish our objectives, we selected from the SEC’s IT inventory a statistical sample of 244 laptops. We also selected a judgmental sample of an additional 244 laptops, for a total of 488 laptops reviewed. We chose to select assets assigned to the SEC’s headquarters and 3 of its 11 regional offices: the Atlanta Regional Office (ARO), the Denver Regional Office (DRO), and the New York Regional Office (NYRO). According to the ITSM system, there were a total of 3,601 laptops assigned to these locations, or about 65 percent of the SEC’s total population of 5,525 laptops as of April 1, 2014.

Appendices I and II include additional information on our scope and methodology; review of internal controls; sampling methodology; prior coverage; and the applicable Federal laws and guidance and SEC regulations, policies, and procedures.

Results

Finding 1: The SEC’s Laptop Inventory Controls Need Improvement

To ensure that assets are properly safeguarded, OMB Circular A-123 requires Federal managers to establish controls that provide reasonable assurance of preventing or promptly detecting unauthorized acquisition, use, or disposition of assets.[16] We determined that the SEC had addressed the OIG’s prior recommendations about laptop accountability. In addition, the agency has policies, procedures, and IT systems for identifying, tracking, and safeguarding sensitive property, including laptops, throughout their lifecycles. The procedures include controls for receiving laptops, maintaining inventory records, and reporting lost or stolen laptops. Finally, the SEC’s primary mechanism for ensuring accountability for its laptops is the ITSM system. However, we identified needed improvements in the SEC’s IT inventory program and controls over its laptops. Specifically, we determined the following:

- The SEC’s IT inventory contained incorrect information for a significant number of laptops. For example, OIT management decided not to update the inventory to reflect the correct location of 921 laptops that had been located at the Operations Center, which the SEC closed in October 2013. OIT plans to update the location information for these assets when the ongoing agencywide inventory is complete. The inventory also did not specify a location for another 81 laptops. Finally, the inventory included incorrect location information for 82 (or about 17 percent) of the 488 laptops we reviewed and incorrect user information for 105 (or about 22 percent) of the 488 laptops we reviewed.
- Twenty-four laptops included in the inventory and selected for review could not be accounted for.[17]
- The SEC’s procedures for sharing information about lost or stolen laptops were inadequate.

These weaknesses existed because personnel did not always understand their roles and responsibilities; and related policies and procedures were inadequate, had not been effectively communicated to regional office personnel, and were not consistently followed. As a result of our testing, we questioned the reliability of the SEC’s IT inventory and estimated that it may reflect incorrect location and/or user information for over 1,000 laptops, or nearly one-third of the 3,601 assets assigned to the locations we reviewed. Furthermore, we estimated that as many as 202 laptops assigned to the locations we reviewed may be unaccounted for. By not ensuring that inventory records are accurate and that all laptops are accounted for, the SEC may be unaware of lost or stolen laptops. In the event that lost, stolen, or otherwise unaccounted-for laptops are not protected by encryption software, which we reported as a finding in our May 2014 Review of the SEC’s Practices for Sanitizing Digital Information System Media (Report No. 521), the SEC is at risk for the unauthorized release of sensitive, nonpublic information.

[16] OMB Circular A-123, p. 7.
[17] We considered a laptop “accounted for” if: (1) we physically observed the laptop; (2) the person in possession of the laptop provided correct identifying information by email; or (3) an SF-120, Report of Excess Personal Property, was provided for the laptop.

The SEC’s IT Inventory Contained Incorrect Information. According to SEC policy, AMB and IT Service Desk personnel update the SEC’s IT inventory,[18] and ensure that laptops are managed according to sensitive property requirements. Regional office IT Specialists are also responsible for keeping the AMB informed and updating the ITSM system. We determined that AMB staff received laptops and added them to the inventory.[19] However, we reviewed the SEC’s inventory records and selected a statistical sample of 244 laptops and a judgmental sample of an additional 244 laptops (for a total of 488 laptops reviewed)[20] and determined that SEC personnel had not ensured that the inventory contained accurate information.

For example, 921 laptops in the inventory were reported as assigned to the SEC’s Operations Center, which the SEC closed in October 2013. When asked why assets were still assigned to the Operations Center although they had been moved to the SEC’s headquarters or other facilities, AMB personnel stated that OIT management decided not to update the assets’ location in the ITSM system until personnel complete the agencywide inventory initiated in April 2014. The inventory is expected to be complete by the end of 2014. We also noted that the inventory did not specify a location for another 81 laptops.

In addition, we determined that the inventory included incorrect location information for 82 (or about 17 percent) of the 488 laptops included in our sample. Of the 82 laptops we reviewed with incorrect location information,
